Compliance Management System

The *FIRST STEP* Board and Management should take in providing for the Administration of the Compliance Program *(Regardless of Size or Bank Complexity)* IS:

*Designation of a COMPLIANCE OFFICER*

In a LARGER more COMPLEX Bank the Compliance Officer MAY:

*Devote ALL of his or her TIME to Compliance Activities*

For Example: *A Small Bank may not have the Compliance Program in writing*, BUT

*Effective Monitoring System has been established that ensures Overall compliance*

MONITORING is a PROACTIVE APPROACH by the Bank to:

*Identify Procedural or Training Weaknesses in an Effort to Preclude Regulatory Violations.*

Monitoring and Audit play an important, BUT Different Role in supporting the CMS, AND

*It should NOT be Assumed that if a Bank has a Strong Monitoring Function, that risks are Appropriately Mitigated* *(MANY BANKS NEED BOTH MONITORING AND AUDIT)*

Board and Management's Response to the Audit Report SHOULD BE:

*PROMPT*

When *MORE THAN 1 PERSON* is Responsible for Compliance Matters:

*Responsibility and Accountability MUST BE CLEARLY DEFINED*

Changes in Regulation, Business Operations, Products, or Services

*SHOULD TRIGGER* a Review of *Established Compliance Procedures*. *(Modifications should be made QUICKLY to minimize Compliance Risk and everyone should be notified of the changes)*

The Formality of the Compliance Program is NOT AS IMPORTANT AS:

*The Effectiveness.*

A Written Compliance Audit Report *SHOULD INCLUDE*:

- *Scope of the Audit* (including departments, branches, product types, and 3rd party relationships reviewed); - *Deficiencies or Modifications identified*; - *Number of Transactions Sampled by Category of Product Type*; AND - *Descriptions of, or Suggestions for, Corrective Action and Time Frames for Correction*

Procedures *SHOULD BE* Established for:

- Addressing Complaints; - Individuals and Departments Responsible for Handling them SHOULD be Designated and Known to ALL BANK PERSONNEL to Expedite Responses. *(Bank should be prepared to Handle Complaints PROMPTLY)*

No TWO Compliance Programs will be the Same, and the *Formality of a Program WILL BE DICTATED by NUMEROUS CONSIDERATIONS*, Including:

- Bank's Size, Number of Branches, and Organizational Structure; - Business Strategy of the Bank (Community Bank vs Regional; or Retail vs Wholesale); - Complexity of Products and Services Offered; - Staff Experience and Training; - Type and Extent of 3rd Party Relationships; - Location of the Bank (main office and branches; AND - Other influences, Such as Whether the Bank is involved in Interstate or International Banking.

An Effective CMS is commonly comprised of:

- Board and Management Oversight; AND - Compliance Program

Key Actions Board and Management May take to Demonstrate their Commitment to Maintaining an effective CMS INCLUDE:

- Demonstrating Clear and Unequivocal Expectations about Compliance, NOT ONLY within the Bank, but also to 3rd Party Providers; - Adopting Clear Policy Statements; - Appointing a Compliance Officer with Authority and Accountability; - Allocating Resources to Compliance functions commensurate with the level and complexity of the Bank's Operations; - Anticipating and Elevating changes in the Bank's operating environment and implementing responses across impacted lines of business; - Identifying compliance risk in the Bank's products, services, and other activities, and Responding to deficiencies and violations; - Conducting periodic compliance audits; AND - Providing RECURRENT REPORTS by the Compliance Officer to the Board.

A Compliance Officer's General Responsibilities, Regardless of Size and Complexity of the Bank's Operations, INCLUDE:

- Developing Compliance Policies and Procedures; - Training Management and Employees in Consumer Protection Laws and Regulations; - Reviewing Policies and Procedures for Compliance with Applicable Laws and Regulations and the Bank's stated policies and procedures; - Assessing Emerging Issues or Potential Liabilities; - Coordinating Responses to Consumer Complaints; - Reporting Compliance Activities and Audit/Review Findings to the Board; AND - Ensuring Corrective Actions are Implemented in a Timely Fashion and are Effective at Preventing Recurrence.

Board and Management SHOULD:

- Discuss compliance topics during their meetings; - Include compliance matters in their communications to Bank personnel and general public; - Ensure management and staff have a clear understanding that compliance is important to the Board and Management; AND - Expected to Incorporate Compliance in their Daily Operations.

An Effective Compliance TRAINING Program is:

- Frequently Updated with Current, Complete, and Accurate Information on: -Products and Services and Business Operations of the Bank; - Consumer Protection Laws and Regulations; - Internal Policies and Procedures, AND - Emerging Issues in the Public Domain

FOR EXAMPLE: Loan Officers and Other Front-Line Employees Regularly Interacting with LOAN APPLICANTS SHOULD BE:

- Fully Informed About the Loan Products and Services Offered by the Bank; AND - Thoroughly knowledgeable about ALL ASPECTS of the applicable consumer credit protection laws and regulations.

A Qualified Compliance Officer will:

- Have Knowledge and Understanding of *ALL CONSUMER PROTECTION LAWS and REGULATIONS* that apply to the Business Operations of the Bank; - Have *general knowledge of the overall operations of the Bank*; - *Interact with All of the departments and branches to keep abreast of changes (new products, personnel turnover) that may require action to manage perceived risk*

Compliance Management System is how a Bank:

- Learns about its compliance responsibilities; - Ensures that employees understand these responsibilities; - Ensures that requirements are incorporated into business processes; - Reviews operations to ensure responsibilities are carried out and requirements are met; AND - Takes Corrective Action and Updates Materials as necessary.

Noncompliance with Federal Consumer Protection Laws can result in:

- Monetary Penalties, - Litigation, and - Formal Enforcement Actions.

Banks SHOULD INCLUDE the Compliance Officer in:

- Planning; - Development; and - Implementation of Business Operations to: Increase the Likelihood of Success of its Compliance Monitoring Function.

The Compliance Program INCLUDES:

- Policies and Procedures; - Training; - Monitoring AND/OR Audit; and - Consumer Complaint Response.

A well planned, implemented, and maintained Compliance Program Will:

- Prevent or Reduce Regulatory Violations; - *Provide Cost Efficiencies*; and - Is a Sound Business Step.

Monitoring Reviews are ESPECIALLY IMPORTANT AFTER:

- Problems have been identified During Past Audits or Examinations; - Regulation Changes; - New Products are Introduced; - Mergers Occur; OR - When Additional Branch Locations are opened.

An Audit may be Once a Year or May be Ongoing Where all

- Products and services, - All applicable operations, - Departments and branches are addressed on a Staggered Basis.

Contracts with 3rd Parties SHOULD:

- Set Clear Expectations for Adherence to Relevant Laws and Regulations; AND The applicability of Regulatory Guidance; and - Management SHOULD ENSURE that sufficient Policies and Procedures are in place to control the risks associated with a particular 3rd Party.

An AUDIT is an *INDEPENDENT ASSESSMENT* and *VALIDATION* of a Bank's:

- System of Internal Controls, - Operations, and - Compliance Risk Management Framework. (It Complements the Monitoring System)

Line Management and Staff SHOULD RECEIVE:

- Timely, - Specific; - Comprehensive TRAINING in: (a) Laws and Regulations; and (b) Internal Policies and Procedures that Directly affect their jobs.

Every FDIC-Insured Bank MUST HAVE:

An Effective CMS adapted to its Unique Business Strategy.

Policies should be established that INCLUDE Goals and Objectives AND:

Appropriate Procedures for Meeting Those Goals and Objectives.

Every Bank SHOULD HAVE Monitoring AND/OR Audit Functions that are:

Appropriate for their: - Size, - Complexity; and - Risk Profile.

The responsibility for ensuring that a Bank and its 3RD PARTY PROVIDERS are in Compliance with Consumer Protection Laws and Regulations Appropriately Rests With:

Board and Management of the Bank.

A *Compliance Committee* as an *ALTERNATIVE TO* or *IN ADDITION TO* a Full-Time Compliance Officer:

Can be formed *CONSISTING OF*: - The Compliance Officer; - Representatives from Various Departments; and - Members of Management or the Board. (Ultimate Responsibility of Overall compliance with all statutes and regulations STILL resides with the Board)

A Bank Should *generally Establish a FORMAL, WRITTEN:*

Compliance Program.

Regardless of the Degree of Formality, Banks are Expected to Manage their Compliance Programs *PROACTIVELY* to Ensure Compliance:

Compliance efforts require an ongoing commitment from *ALL LEVELS* of management and should be a part of a Bank's daily business operations.

Board and Management Oversight is *ULTIMATELY RESPONSIBLE* for:

Developing and Administering a CMS that ensures Compliance with Federal Consumer Protection Laws and Regulations.

The Compliance Officer SHOULD BE Responsible for Compliance Training and:

ESTABLISH a REGULAR TRAINING SCHEDULE for: - Directors; - Management; - Staff; and - 3rd Party Service Providers (where appropriate).

Training of the Bank's Board, management, and Staff is:

Essential to Maintaining an Effective Compliance Program.

An effective Compliance Risk Management Process will Vary DEPENDING ON the Complexity and Risk Potential of the 3rd Party Relationship, BUT:

Generally includes: - Risk Assessment; - Due Diligence in selecting 3rd Party Provider; - Appropriate Contract Structuring and Review; AND - Sufficient Oversight of 3rd Party Activities (Including Quality Control over Products or Services Provided)

When Developing the Organizational Structure of the Compliance Program, Board and Management MUST:

Grant the Compliance Officer *SUFFICIENT AUTHORITY and INDEPENDENCE* to: - Cross Departmental Lines; - Have Access to All Areas of the Bank's Operations; AND - Effect Corrective Action.

Compliance Officer MUST BE provided with: - Ongoing Training; and - Sufficient Time and Resources to do the Job:

In order to be effective at overseeing compliance and maintaining a strong Compliance Posture.

Generally, A *STRONG* Compliance Audit WILL:

Incorporate *VIGOROUS* Transaction Testing.

HOWEVER, *During periods of Expansion or Turnover of Staff, A Written Compliance Program becomes more Important because*:

Individuals with the Particular Knowledge or Experience *MAY NO LONGER* be with the Bank or Available for Contact.

The Compliance Officer SHOULD RECEIVE a Copy of All Compliance Audit Reports and Act to Address Noted Deficiencies and Required Changes to Ensure Full Compliance with Consumer Protection Laws and Regs.

Management SHOULD ALSO establish FOLLOW-UP Procedures to Verify, AT A LATER DATE, that the corrective actions were *LASTING and EFFECTIVE*

For Example: Verification of an Annual Percentage Rate or Second Review of a Loan Application *BEFORE THE TRANSACTION IS COMPLETED*

Monitoring at this level Helps Establish Management and Staff Accountability and Identifies Potential Problems in a Timely Manner.

In *SMALLER or LESS Complex Banks, where staffing is limited, a Full-Time Compliance Officer MAY*:

Not be Necessary, INSTEAD: - Compliance Responsibilities MAY BE Divided between Various Individuals by Type of Regulation, SUCH AS Loan-Related or Deposit-Related regulations. *(In Some cases, Several banks MAY SHARE a Compliance Officer)*

Training can be conducted IN-HOUSE or Through External Training Programs or Seminars.

Once Personnel have Been Trained in 1 Subject, A compliance officer should Periodically Assess the Employee's Knowledge and Comprehension of the Subject Matter.

Policy Statements on Compliance Topics:

Provide a framework for the Bank's procedures and provide a clear communication to management and employees of the Board's intentions towards compliance.

An *EFFECTIVE MONITORING SYSTEM* includes:

Regularly Scheduled Reviews of: - Disclosures and Calculations for various product offerings; - Document Filing and Retention Procedures; - Posted Notices, Marketing Literature, and Advertising; - Various State Usury and Consumer Protection Laws and Regs; AND - Internal Compliance Communication Systems that Update and Revise the Applicable Laws and Regulations to Management and Staff.

Monitoring ALSO INCLUDES:

Reviews at the *Transaction Level* During *NORMAL DAILY ACTIVITIES of EMPLOYEES* in Every Operating Unit of the Bank

Regardless of Whether the Audit is conducted By Bank Personnel or Externally (accounting firm or contractor):

The *AUDIT FINDINGS* should be *DIRECTLY REPORTED to the BOARD OR Committee of the Board*

Audits can be performed INTERNALLY or EXTERNALLY as long as:

The *Individuals that perform Audit Activities* are *Independent of the Areas Being Audited*

If a Bank engages the Services of a 3rd Party, The Board and Management *MUST ENSURE* that:

The 3rd Party Operations, Products, Services, and Activities are Reviewed for Compliance with Consumer Protection Laws and Regulations

The compliance officer MAY Utilize 3rd Party Service Providers or Consultants to Help Administer the Compliance Program and Audit Functions; HOWEVER

The Compliance Officer *SHOULD PERFORM* sufficient *DUE DILIGENCE* to Verify the Provider is Qualified, Because Ultimately the Bank's Board and Management are Responsible for Identifying and Controlling compliance risks arising from 3rd party relationships, TO THE SAME extent as if the 3rd party was handled within the Bank.

Complaints *MAY BE* Indicative of Compliance Weaknesses in a particular department or function; *THEREFORE*:

The Compliance Officer SHOULD Determine the Cause of the Complaint and Take Action to Improve the Bank's Business Practices, as appropriate.

The Compliance Program is NOT STATIC,

The Compliance Program MUST BE Dynamic and Constantly Amended on an Ongoing Basis to Focus Resources where they are needed Most BASED UPON risks to the Bank.

The Board of Directors *SHOULD DETERMINE the SCOPE of the Audit and FREQUENCY* with which audits are Conducted.

The Scope and Frequency should Consider Factors SUCH AS: - Expertise and Experience of Various Bank Personnel; - Organization and Staffing of Compliance Function; - Volume of Transactions; - Complexity of Products Offered; - Number and Type of Consumer Complaints Received; - Number and Type of Branches; - Acquisition or Opening of Additional Branches; - Size of the Bank; - Organizational Structure of the Bank; - Outsourcing of Functions to 3rd Party Service Providers, including a review of agreements signed or made between the Bank and Vendors; - Degree to Which Policies and Procedures are defined and detailed in Writing; AND - Magnitude and Frequency of Changes to Any of the Above.

Compliance Officers SHOULD Monitor Employee Performance to Ensure they are *Following Established Internal Policies and Procedures*

The frequency and volume of Employee Turnover at a Bank Should be factored into the *SCHEDULE OF REVIEWS*

A Bank SHOULD Monitor Complaints to and or About:

Third Parties that are Providing Services on behalf of the Bank.

The bank's Policies and Procedures SHOULD PROVIDE Bank Personnel with all of the information needed to perform a Business Transaction.

This MAY INCLUDE: - Applicable Regulation Cites and Definitions; - Sample Forms with Instructions; - Bank Policy; AND - (Where appropriate) Directions for Routing, Reviewing, Retaining, and Destroying Transaction Documents. *(For Example: Loan Application procedures SHOULD BE ESTABLISHED so that Bank personnel consistently treat ALL APPLICANTS equitably and fairly)*